UK telco watchdog Ofcom, Minnesota Dept of Ed named as latest MOVEit victims
As another CVE is assigned
Two more organizations hit in the mass exploitation of the MOVEit file-transfer tool have been named – the Minnesota Department of Education in the US, and the UK's telco regulator Ofcom – just days after security researchers discovered additional flaws in Progress Software's buggy suite.
Ofcom disclosed this week it is among the businesses and public bodies that have had their internal data stolen by crooks exploiting a MOVEit flaw. Russia's Clop ransomware crew has since claimed it has been going around abusing the vulnerability in MOVEit deployments to steal documents and demanding payment not to leak the info.
"A limited amount of information about certain companies we regulate – some of it confidential – along with personal data of 412 Ofcom employees, was downloaded during the attack," Ofcom revealed in a statement yesterday.
The watchdog said it took "immediate action" to remediate the issue and beef up its security.
"We also swiftly alerted all affected Ofcom-regulated companies, and we continue to offer support and assistance to our colleagues," the regulator added. "No Ofcom systems were compromised during the attack."
An Ofcom spokesperson declined to answer any additional questions about the attack – including what specific data was stolen, who is responsible for the attack, and whether the intrusion occurred in an Ofcom-run MOVEit instance, or at a third party (such as payroll and human resources services provider Zellis).
This is what transparency looks like
Minnesota's Department of Education (MDE), meanwhile, provided substantially more detail about what happened during the theft of its data.
The state agency said Progress Software alerted it to the security vulnerability on May 31, and on the same day "an outside entity" accessed 24 MDE files on a MOVEit server.
MDE's data breach advisory, posted on Friday, said the compromised files included "data transferred to MDE from the Minnesota Department of Human Services (DHS) to meet state and federal reporting requirements, as well as files from two school districts (Minneapolis and Perham), and Hennepin Technical College."
The compromised files contained information about "95,000 names of students placed in foster care throughout the state, 124 students in the Perham School District who qualified for Pandemic Electronic Benefits Transfer (P-EBT), 29 students who were taking PSEO classes at Hennepin Technical College in Minneapolis, and five students who took a particular Minneapolis Public Schools bus route."
The foster care students' files included their names, dates of birth, and county of placement.
Additionally, the P-EBT and PSEO files contained student names, dates of birth, some home addresses, and parents' or guardians' names. PSEO participants' data also included their high school and college transcript information, and the last four digits of the student's social security number.
The files related to the Minneapolis Public Schools bus route only included the five kids' names.
MDE: 'No financial info stolen' – so that's all right then
"No financial information was included in any of the files in this data breach," the department's advisory added. "MDE is currently working to notify those individuals whose data was accessed. To date there have been no ransom demands nor is MDE aware that the data has been shared or posted online."
The miscreants didn't upload any malware to MDE's systems during the breach, so it's thought. And upon discovering the intrusion the state notified the FBI, Minnesota Bureau of Criminal Apprehension, and Office of the Legislative Auditor about the situation.
"Though no financial information was accessed, MDE recommends individuals who may have been impacted take precautionary measures to protect themselves, such as accessing and monitoring your personal credit reports," the advisory continued.
The Minnesota students' information hasn't been posted on Clop's leak site, nor has the gang demanded any ransom from the state agency. MDE director of communications Kevin Burns told The Register that the department believes the attack exploited the initial MOVEit vulnerability, CVE-2023-34362, which Progress patched on May 31.
"We have not been contacted by the folks who did this, but our assumption is this was part of the larger global occurrences that happened in and around that same day," Burns said.
The list of victims will likely get longer, as on Friday security researchers uncovered more MOVEit vulnerabilities.
Progress said that discovery was made by cyber security firm Huntress, which it had engaged to conduct a detailed review of its code. As of Monday at least one of these has a CVE number: CVE-2023-35036.
"An attacker could submit a crafted payload to a MOVEit Transfer application endpoint that could result in modification and disclosure of MOVEit database content," according to the MITRE description of the new CVE.
Progress has since patched CVE-2023-35036.
While the investigation into both – and possibly additional MOVEit vulnerabilities – remains ongoing, Progress said it has not seen any indication that the new bugs have been found and exploited by criminals.
Also on Friday, risk analysis firm Kroll said Clop likely knew about the bug as far back as 2021. ®